The following was communicated to all of you, my customers, via your security leadership on Friday, Sept 21st, 2012.

———————————–

This alert is to provide you with an overview of the new security bulletin being released (out of band) on September 21, 2012, for new vulnerabilities in Internet Explorer.

Microsoft is also releasing one new security advisory today for Adobe Flash Player in Internet Explorer 10 on Windows 8 and Windows Server 2012.

New Security Bulletin Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

Bulletin Identifier

Microsoft Security Bulletin MS12-063

Bulletin Title

Cumulative Security Update for Internet Explorer (2744842)

Executive Summary

This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.

An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability.

Mitigating Factors

An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

New Security Advisory Microsoft published one new security advisory on September 21, 2012. Here is an overview of this new security advisory:

Security Advisory 2755801

Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

Affected Software

Internet Explorer 10 on Windows 8 and Windows Server 2012

Executive Summary

Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10.

Mitigations

In a web-based attack scenario where the user is using Internet Explorer 10 for the desktop, an attacker could host a website that contains a webpage that is used to exploit any of these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Internet Explorer 10 in the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list. This restriction requires an attacker to first compromise a website already listed in the CV list. An attacker could then host specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use any of these vulnerabilities to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of any of these vulnerabilities through the web-based attack scenario.

By default, Internet Explorer on Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. This mode can help reduce the likelihood of exploitation by these vulnerabilities in Adobe Flash Player in Internet Explorer 10

Regarding Information Consistency We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.